Design and Implementation of Conflict Detection System for Time-Based Firewall Policies

Firewalls are one of the most common mechanisms used to protect the network from unauthorized access and security threats. Nowadays, time-based firewall policies are widely in use in many firewalls such as CISCO ACLs and Linux iptables to control network traffic with respect to time. However, network administrators struggle to maintain the firewall policies due to their high complexity. A conflict is a misconfiguration that occurs due to mismanagement of a firewall policy. Detection of conflicts and reconfiguration of the policies to discard conflicts is an extremely complicated task for any network administrator. Even though there are currently many conflict detection techniques, the prevailing techniques cannot deal with time-based firewall policies. As a result, when they are applied to time-based firewall policies, the time fields are ignored; therefore, the problem of obtaining false positive results arises, stating a non-conflict as a conflict. This problem has not been addressed in previous researches regardless of its significance. In this paper, we have formalized the conflict detection problem by designing a time-based firewall policy similar to the Linux iptables and CISCO ACLs. We have proposed a system to detect conflicts by extending the topology-based spatial analysis of firewall policies without time fields to time-based firewall policies, and we have presented the implementation of the proposed system in detail. Furthermore, we have evaluated the feasibility and usefulness of the proposed system by conducting experiments with various time-based firewall policies, and we have verified the effectiveness of the proposed system.